So, is ORT getting the certs from traffic vault like it should now?

On Thu, Jan 19, 2017 at 3:16 PM, Nir Sopher <[email protected]> wrote:

> Yes, the parameter is set correctly.
> The ssl_multicert.config file is on the server in the specified directory.
> The /opt/trafficserver/etc/trafficserver/ssl/ directory however is missing.
> Thanks,
> Nir
>
> On Thu, Jan 19, 2017 at 11:44 PM, Dave Neuman <[email protected]> wrote:
>
> > The certificates should be put on the cache by ORT.  Do you have a location
> > parameter for ssl_multicert.config?  If not, you will need to create that
> > and assign it to your EDGE profile in order for ORT to know to get the
> > certificates.
> > Param Name = location
> > Config File Name = ssl_multicert.config
> > Value =  /opt/trafficserver/etc/trafficserver
> >
> > On Thu, Jan 19, 2017 at 2:19 PM, Nir Sopher <[email protected]> wrote:
> >
> > > OK!
> > > Thank you!
> > >
> > > After applying the patch, the curl command indeed showed me the
> > > certificates.
> > > The traffic-server ort script ran "successfully", pulling
> > > ssl_multicert.config.
> > >
> > > However when trying to work with https, I got an SSL error due to a missing
> > > certificate on the servers. This was the case for both traffic router and
> > > traffic-server.
> > > Furthermore, the traffic router went insane...
> > >
> > > I then created a new traffic router, and it apparently pulled the
> > > certificates. The redirects worked perfectly.
> > > Still my traffic server was missing the certificates themselves. Adding a
> > > new traffic server did not help. It still had the problem.
> > >
> > > I worked around the problem by creating the etc/trafficserver/ssl directory
> > > on the traffic-server, and placing there a self signed certificate with the
> > > proper names.
> > >
> > > Any idea why the certificates did not get to the server?
> > > I did not find any related message in the ort script output. Is it the one
> > > that should bring the certs?
> > >
> > > Thank you again,
> > > Nir
> > >
> > >
> > > However, the certificates
> > >
> > > On Thu, Jan 19, 2017 at 5:02 PM, Dave Neuman <[email protected]> wrote:
> > >
> > > > Can you try
> > > > curl -kvs "https://admin:password@riakURL:8088/search/query/sslkeys?wt=json&q=cdn:nirs-tc1-cdn"
> > > > and let me know what that returns?
> > > > It should return to you the ssl certs for your delivery service. If it does
> > > > not can you try to go into the “Paste Keys” screen in traffic ops, press
> > > > the save button to save the SSL certs again, and then re-run the curl?
> > > > If they are still not showing up after that you may have hit a bug we found
> > > > earlier that is now fixed in master where the content-type isn’t set
> > > > correctly on the PUT to Riak. The workaround is to change line 104 of
> > > > traffic_ops/app/lib/Connection/RiakAdapter.pm from
> > > > return $ua->put( $fqdn, Content => $value );
> > > > to
> > > > return $ua->put( $fqdn, Content => $value, 'Content-Type'=> $content_type );
> > > > and restart traffic_ops. After you restart Traffic Ops go into the paste
> > > > keys screen, save your keys again, and run the curl again.
> > > > Let me know how it goes.
> > > >
> > > > Thanks,
> > > > Dave
> > > >
> > > >
> > > > On Thu, Jan 19, 2017 at 7:46 AM, Steve Malenfant <[email protected]>
> > > > wrote:
> > > >
> > > > > I'm probably not the one that can explain that to you, but I believe there
> > > > > are additional settings in riak for TC >1.7. I've heard of enabling riak
> > > > > search and new security parameters...
> > > > >
> > > > > On Thu, Jan 19, 2017 at 8:35 AM Nir Sopher <[email protected]> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > After a reboot, key generation indeed works. Thank you:)
> > > > > > However, the traffic server still encounters the issue:
> > > > > > ERROR result for http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json is: ...{"message":"No SSL certificates found for nirs-tc1-cdn"}...
> > > > > > FATAL http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json returned HTTP 404!
> > > > > >
> > > > > > Can it be that something is badly configured in my delivery-service? Or
> > > > > > maybe in my traffic ops configuration?
> > > > > > Maybe an RPM missing?
> > > > > >
> > > > > > Thank you both again.
> > > > > > Nir
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, Jan 19, 2017 at 3:12 PM, Steve Malenfant <[email protected]>
> > > > > > wrote:
> > > > > >
> > > > > > > Have you tried to simply restart Traffic Ops? We've seen ours (1.6) not
> > > > > > > being able to create Certificates after a while.
> > > > > > >
> > > > > > > On Wed, Jan 18, 2017 at 11:10 PM, Nir Sopher <[email protected]> wrote:
> > > > > > >
> > > > > > > > ERROR result for http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json is: ...{"message":"No SSL certificates found for nirs-tc1-cdn"}...
> > > > > > > > FATAL http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json returned HTTP 404!
> > > > > > > >
> > > > > > > > On Thu, Jan 19, 2017 at 12:43 AM, Dave Neuman <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > What error are you getting in ORT?
> > > > > > > > >
> > > > > > > > > On Wed, Jan 18, 2017 at 11:57 AM, Nir Sopher <[email protected]> wrote:
> > > > > >
> > > > > > > > >
> > > > > >
> > > > > > > > > > OK.
> > > > > > > > > > I called the command from traffic op and got the below output, which looks
> > > > > > > > > > ok to me.
> > > > > > > > > > So now I know that adding a certificate via the "paste" screen works (and
> > > > > > > > > > not only says "success").
> > > > > > > > > > Still, pulling the configuration via the ort script fails.
> > > > > > > > > >
> > > > > > > > > > Regarding the log, no message during the certificate paste. My log cfg is
> > > > > > > > > > also pasted below.
> > > > > > > > > >
> > > > > > > > > > 10x,
> > > > > > > > > > Nir
> > > > > > > > > >
> > > > > > > > > > $ cat /opt/traffic_ops/app/conf/production/log4perl.conf
> > > > > > > > > > log4perl.rootLogger = ERROR, SCREEN, FILE
> > > > > > > > > > log4perl.appender.FILE = Log::Log4perl::Appender::File
> > > > > > > > > > log4perl.appender.FILE.layout = PatternLayout
> > > > > > > > > > log4perl.appender.FILE.layout.ConversionPattern = [%d{ISO8601}] [%p] %m%n
> > > > > > > > > > log4perl.appender.FILE.filename = /var/log/traffic_ops/traffic_ops.log
> > > > > > > > > >
> > > > > > > > > > log4perl.appender.SCREEN = Log::Log4perl::Appender::Screen
> > > > > > > > > > log4perl.appender.SCREEN.layout = PatternLayout
> > > > > > > > > > log4perl.appender.SCREEN.layout.ConversionPattern = [%d{ISO8601}] [%p] %m%n
> > > > > > > > > >
> > > > > > > > > > $ curl -k "https://admin:admin123@vault-int.nirs-tc1.tc-dev.qwilt.com:8088/riak/ssl/ynet-images-latest"
> > > > > >
> > > > > > > > > > {"cdn":"nirs-tc1-cdn","deliveryservice":"ynet-images","certificate":{"csr":"[base64 data removed]","crt":"[base64 data removed]","key":"[base64 data removed]"},"version":"5","hostname":"*.ynet-images.nirs-tc1-cdn.tc-dev.qwilt.com","key":"ynet-images"}
> > > > > >
> > > > > > > > > >
> > > > > >
> > > > > > > > > > On Wed, Jan 18, 2017 at 8:01 PM, Dave Neuman <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > > The second curl would be:
> > > > > > > > > > > curl -k "https://admin:admin123@vault-int.nirs-tc1.tc-dev.qwilt.com:8088/riak/ssl/ynet-images-latest"
> > > > > > > > > > >
> > > > > > > > > > > If that works from your traffic_ops host then it should also work when you
> > > > > > > > > > > go into the paste keys screen.
> > > > > > > > > > >
> > > > > > > > > > > Turning on Debug logging might also help. You can set log4perl.rootLogger =
> > > > > > > > > > > ERROR, SCREEN, FILE in traffic_ops/app/conf/production/log4perl.conf
> > > > > > > > > > >
> > > > > > > > > > > Try that out and send me what, if anything, you see in the log.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Dave
> > > > > > > > > > >
> > > > > >
> > > > > > > > > > >
> > > > > >
> > > > > > > > > > > On Wed, Jan 18, 2017 at 9:14 AM, Nir Sopher <[email protected]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Thanks Dave,
> > > > > > > > > > > > I am pasting the keys through the Manage SSL Keys -> Paste Existing Keys
> > > > > > > > > > > > screen.
> > > > > > > > > > > >
> > > > > > > > > > > > Below is the output of the curl commands:
> > > > > > > > > > > >
> > > > > > > > > > > > $ curl -k "https://admin:admin123@vault-int.nirs-tc1.tc-dev.qwilt.com:8088/buckets/ssl/keys?keys=true"
> > > > > > > > > > > > {"keys":["ynet-images-5","ynet-images-latest","ynet-images-4","ynet-images-3"]}
> > > > > > > > > > > >
> > > > > > > > > > > > $ curl -k "https://admin:admin123@vault-int.nirs-tc1.tc-dev.qwilt.com:8088/riak/ssl/xmlid-latest"
> > > > > > > > > > > > not found
> > > > > > > > > > > >
> > > > > > > > > > > > Nir
> > > > > >
> > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > On Wed, Jan 18, 2017 at 4:56 PM, Dave Neuman <[email protected]> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > That sucks that it still doesn't work :(
> > > > > > > > > > > > >
> > > > > > > > > > > > > Let's start with the config.  You said you had to set
> > > > > > > > > > > > > `listener.https.internal= 0.0.0.0:8088`, we have that configured with the IP
> > > > > > > > > > > > > of the riak server, but if you can successfully make curl requests from the
> > > > > > > > > > > > > traffic_ops server, then I guess that is ok.
> > > > > > > > > > > > >
> > > > > > > > > > > > > As for the error you are getting...that error is basically saying that Riak
> > > > > > > > > > > > > cannot find the SSL Keys that you are looking for.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Which endpoint are you using when you get that error?  Are you going
> > > > > > > > > > > > > through the Manage SSL Keys -> Paste Existing Keys screen?  Or are you
> > > > > > > > > > > > > hitting an API?
> > > > > > > > > > > > >
> > > > > > > > > > > > > You should be able to see if the keys exist by running
> > > > > > > > > > > > > `curl -k "https://admin:password@riakURL:8088/buckets/ssl/keys?keys=true"`
> > > > > > > > > > > > > and looking for XMLID-latest in the list of keys; you could also run
> > > > > > > > > > > > > `curl -k "https://admin:password@riakURL:8088/riak/ssl/xmlid-latest"`
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > Dave
> > > > > >
> > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > On Tue, Jan 17, 2017 at 1:57 PM, Nir Sopher <[email protected]> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Thank you Dave:)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Indeed I was using Riak 2.2 with TC 1.7.
> > > > > > > > > > > > > > I moved now to Riak 2.1.3 (same traffic ops, just replaced the vault).
> > > > > > > > > > > > > > I see the same issues. The only change is the added log messages in traffic
> > > > > > > > > > > > > > ops log during certificate generation:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > [2017-01-17 20:29:58,119] [ERROR] Active Server Severe Error: 404 - vault-int.nirs-tc1.tc-dev.qwilt.com:8088 - not found
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Nir
> > > > > >
> > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > > On Tue, Jan 17, 2017 at 6:56 PM, Dave Neuman <[email protected]> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hey Nir,
> > > > > > > > > > > > > > > I think I can help here.  First of all, what version of Traffic Control are
> > > > > > > > > > > > > > > you running and which version of Riak are you running?  We have seen issues
> > > > > > > > > > > > > > > using newer versions of Riak with Traffic Control 1.7 and 1.8.  Those
> > > > > > > > > > > > > > > issues should be resolved in the next release.  For now we recommend you
> > > > > > > > > > > > > > > use Riak 2.1.x and not 2.2.x
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Once I know that we can start digging deeper.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > > > Dave
> > > > > >
> > > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > > > On Tue, Jan 17, 2017 at 9:44 AM, Nir Sopher <[email protected]> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I am trying to launch a traffic vault and connect it to my traffic-ops
> > > > > > > > > > > > > > > > server.
> > > > > > > > > > > > > > > > I followed the instructions in the admin guide
> > > > > > > > > > > > > > > > <http://traffic-control-cdn.net/docs/latest/admin/traffic_vault.html>,
> > > > > > > > > > > > > > > > installing riak 2.2.0-1
> > > > > > > > > > > > > > > > <http://s3.amazonaws.com/downloads.basho.com/riak/2.2/2.2.0/rhel/6/riak-2.2.0-1.el6.x86_64.rpm>
> > > > > > > > > > > > > > > > working with a self signed certificate (created via the instructions in
> > > > > > > > > > > > > > > > this <http://www.akadia.com/services/ssh_test_certificate.html> link)
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I had to deviate from the document in a few places in order to progress:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >    - Replacing the host part in the riak listener configuration with
> > > > > > > > > > > > > > > >    0.0.0.0. Using real hostname made riak fail. e.g.
> > > > > > > > > > > > > > > >    listener.https.internal = 0.0.0.0:8088
> > > > > > > > > > > > > > > >    - Setting ssl.cacertfile to point at the server.crt (as this is a self
> > > > > > > > > > > > > > > >    signed certificate): ssl.cacertfile = /etc/riak/certs/server.crt Note
> > > > > > > > > > > > > > > >    that I assume that this certificate is only used for "traffic vault
> > > > > > > > > > > > > > > >    https" connections.
> > > > > > > > > > > > > > > >    - In traffic ops, I initially set the "tcp port" to "8098" and "https
> > > > > > > > > > > > > > > >    port" to "8088". When traffic ops tried to connect the vault it did it via
> > > > > > > > > > > > > > > >    port "8098", so I changed the "tcp port" to "8088" in order for https to be
> > > > > > > > > > > > > > > >    used.
> > > > > >
> > > > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > > > > Validating the installation using
> > > > > > > > > > > > > > > > curl -kvs "https://admin:password@riakserver:8088/search/query/sslkeys?wt=json&q=cdn:mycdn"
> > > > > > > > > > > > > > > > Produced the below output:
> > > > > > > > > > > > > > > > < HTTP/1.1 200 OK
> > > > > > > > > > > > > > > > < Server: MochiWeb/1.1 WebMachine/1.10.9 (cafe not found)
> > > > > > > > > > > > > > > > < Date: Wed, 11 Jan 2017 12:26:07 GMT
> > > > > > > > > > > > > > > > < Content-Type: application/json; charset=UTF-8
> > > > > > > > > > > > > > > > < Content-Length: 571
> > > > > > > > > > > > > > > > <
> > > > > > > > > > > > > > > > {"responseHeader":{"status":0,"QTime":176,"params":{"shards":"vault-int.nirs-tc1.tc-dev.qwilt.com:8093/internal_solr/sslkeys","q":"cdn:nirs-tc1-cdn","wt":"json","vault-int.nirs-tc1.tc-dev.qwilt.com:8093":"(_yz_pn:62 AND (_yz_fpn:62)) OR _yz_pn:61 OR _yz_pn:58 OR _yz_pn:55 OR _yz_pn:52 OR _yz_pn:49 OR _yz_pn:46 OR _yz_pn:43 OR _yz_pn:40 OR _yz_pn:37 OR _yz_pn:34 OR _yz_pn:31 OR _yz_pn:28 OR _yz_pn:25 OR _yz_pn:22 OR _yz_pn:19 OR _yz_pn:16 OR _yz_pn:13 OR _yz_pn:10 OR _yz_pn:7 OR _yz_pn:4 OR _yz_pn:1"}},"response":{"numFound":0,"start":0,"maxScore":0.0,"docs":[]}}
> > > > > > > > > > > > > > > > * Connection #0 to host vault-int.nirs-tc1.tc-dev.qwilt.com left intact
> > > > > > > > > > > > > > > > * Closing connection #
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > However, when I created a delivery-service and tried to "generate" a
> > > > > > > > > > > > > > > > certificate via traffic-ops, I got the below message:
> > > > > > > > > > > > > > > > SSL keys for <ds> could not be created.  Response was: Error creating key
> > > > > > > > > > > > > > > > and csr. Result is -1
> > > > > > > > > > > > > > > > No log message found in traffic_ops log or in the riak log, to explain the
> > > > > > > > > > > > > > > > issue.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > When pasting a certificate (self signed, including the "----" headers and
> > > > > > > > > > > > > > > > footers), the operation succeeded. However, when the traffic servers tried to
> > > > > > > > > > > > > > > > pull this configuration, I got the below message:
> > > > > > > > > > > > > > > > ERROR result for http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json is: ...{"message":"No SSL certificates found for nirs-tc1-cdn"}...
> > > > > > > > > > > > > > > > FATAL http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json returned HTTP 404!
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Any idea what may cause these issues?
> > > > > > > > > > > > > > > > Any experience in debugging similar issues?
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > > > > Nir
> > > > > >
> > > > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > > >
> > > > > >
> > > > > > > > > > > >
> > > > > >
> > > > > > > > > > >
> > > > > >
> > > > > > > > > >
> > > > > >
> > > > > > > > >
> > > > > >
> > > > > > > >
> > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
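
The state the thread ends on (ssl_multicert.config delivered to the cache, but the ssl/ directory and the certificate files absent) can be checked directly on the server. The script below is an added example, not part of the thread and not Traffic Control code; it assumes that relative ssl_cert_name and ssl_key_name values resolve against the ssl directory named in the thread, and the sample file names in it are constructed.

```sh
#!/bin/sh
# Added example: verify that every certificate and key named in
# ssl_multicert.config is actually present on the cache.
# Assumption: relative ssl_cert_name / ssl_key_name values resolve against
# the ssl directory passed as the second argument.

# check_multicert CONFIG SSL_DIR
# Prints one finding per line; returns 1 if anything is wrong, 0 otherwise.
# The body runs in a subshell so "set -f" and the variables stay local.
check_multicert() (
    config=$1
    ssl_dir=$2
    status=0
    set -f    # keep "dest_ip=*" literal instead of expanding it as a glob

    [ -f "$config" ] || { echo "MISSING_CONFIG $config"; exit 1; }
    [ -d "$ssl_dir" ] || { echo "MISSING_DIR $ssl_dir"; status=1; }

    while IFS= read -r line || [ -n "$line" ]; do
        for field in $line; do
            case $field in
                '#'*)            break ;;      # rest of the line is a comment
                ssl_cert_name=*) kind=CERT ;;
                ssl_key_name=*)  kind=KEY ;;
                *)               continue ;;
            esac
            # One field may name several files separated by commas.
            for name in $(printf '%s' "${field#*=}" | tr ',' ' '); do
                case $name in
                    /*) path=$name ;;
                    *)  path=$ssl_dir/$name ;;
                esac
                if [ ! -f "$path" ]; then
                    echo "MISSING_$kind $path"
                    status=1
                elif [ "$kind" = KEY ]; then
                    # Characters 5-10 of the mode string are the group and
                    # other bits; a private key should grant neither any access.
                    mode=$(ls -ld "$path" | cut -c5-10)
                    if [ "$mode" != "------" ]; then
                        echo "KEY_PERMS $path"
                        status=1
                    fi
                fi
            done
        done
    done < "$config"

    exit "$status"
)

# write_sample DIR: constructed sample (not data from the thread). Two
# delivery services; only the first has its files, and its key is too open.
write_sample() {
    mkdir -p "$1/ssl"
    cat > "$1/ssl_multicert.config" <<'EOF'
# constructed sample
dest_ip=* ssl_cert_name=ds-one.example.cer ssl_key_name=ds-one.example.key
dest_ip=* ssl_cert_name=ds-two.example.cer ssl_key_name=ds-two.example.key
EOF
    : > "$1/ssl/ds-one.example.cer"
    : > "$1/ssl/ds-one.example.key"
    chmod 640 "$1/ssl/ds-one.example.key"
}

# With two arguments, check a real cache; with none, run on the sample.
if [ "$#" -eq 2 ]; then
    check_multicert "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    write_sample "$demo"
    check_multicert "$demo/ssl_multicert.config" "$demo/ssl" || true
    rm -rf "$demo"
fi
```

On the cache from the thread the two arguments would be /opt/trafficserver/etc/trafficserver/ssl_multicert.config and /opt/trafficserver/etc/trafficserver/ssl.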
